Thursday, 28 August 2008

The Go Card has started up in Brisbane this year. It's a card that lets you travel on public transport - you load the card up with credit, and touch it to a reader when you get on and off buses, trains and ferries. But the card is very insecure, and three different groups of academics have been able to crack it, which means they could easily create a fake card and use it to get free transport. The card could be cracked by someone with cheap equipment in just a few seconds. Meanwhile, the company that makes the cards, NXP Semiconductors, has been trying to suppress the information about the card's weaknesses, instead of fixing the problems.

The Go Card is actually a Mifare Classic card, made by NXP Semiconductors, a Dutch company. Mifare Classic cards are used all over the world, including in London, where they are branded as the well-known Oyster Card. NXP sent a letter on July 29th to its customers who use the Mifare Classic card, saying:

We are investigating protection scenarios for systems using MIFARE Classic, as in some systems insufficient mechanisms to detect fraudulent cards may have been implemented. Mindful of the above, we urgently ask you to contact your system integrator for an assessment of your systems. Extensive additional protection mechanisms are recommended [emphasis added], both on how the data on the card is used as well as deploying additional security layers separate from the card.

NXP also used the letter to do a bit of upselling:

Depending on the specific situation in existing MIFARE Classic access management infrastructures, in many cases the usage of more sophisticated card ICs may be recommendable. DESFire EV1 and MIFARE Plus (available in Q4 2008) are our recommended solution for new access management implementations where a strong level of security is required.

In a statement last week, Queensland Transport said it was pursuing security concerns with Cubic, the Australian operator of the go card system.

"Cubic has provided advice that the go card ticketing system is not at risk from the most recent claims raised regarding the Mifare Classic smart card," the statement said.

A Queensland Transport spokesman said it was Cubic's responsibility to provide a ticketing system "fit for purpose", including appropriate security systems.

"TransLink has received further advice from Cubic in March 2008 regarding the need for an ongoing security review due to technology advances as a normal and prudent approach to managing a smart card ticketing system," the spokesman said.

"TransLink has commenced and will continue assessing its responses to ensure system security remains paramount."

However, Mr Nohl [a member of one of the groups that cracked the cards] said he believed operators would be confident of the system's security until faced with an actual attack on its integrity.

"I'm sure they are very confident of it [the system] until someone comes around and cracks it," he said.

"The Mifare system was marketed as having advanced levels of protection, proved security and that's what people thought they had a few months ago and now our research has shown them quite the opposite."

NXP Semiconductors regrets to inform you on the decision of the court in Arnhem from July 18th to allow the publication by the IT security specialists from the Radboud University Nijmegen, which includes attacks on MIFARE Classic systems. The University intends to present the publication during a conference on October 6th, with information on how the protocol and algorithm were reverse engineered, the description of the protocol and algorithm and the description of some practical attacks which can be carried out with limited means.

This report from the Radboud University Nijmegen will reduce the barrier to carry-out actual attacks on infrastructures using MIFARE Classic, which prompted our request for a delay in its publication in order to allow for a reasonable time for appropriate system security upgrades.

As we were not successful in our request, you may want to address your interests directly with the University of Nijmegen, in relation to the disclosure of security risks to your systems in the aforementioned publication.

This article in Wired Magazine explains why it is dangerous to let companies that make security systems to keep secret the flaws in their systems. The article quotes the Dutch court:

"Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

It will be interesting to see what happens here in Brisbane. Will Translink make any changes at all to the Go Card? Will they sue Cubic, and will Cubic in turn sue NXP Semiconductors, for making an easily cracked product? Will NXP pretend that it's all the fault of the bad universities, instead of making cards that can't be easily cracked? One thing is for sure: the only way we are going to get to know of flaws like this is if companies can't sue people into silence. I wonder what NXP Semiconductors would have done if no-one had bothered to research their cards. My guess: NOTHING.

Surely just admitting it's wrong, getting recommendations, and fixing the problems would be much better PR, cheaper, and easier?

m, clearly not :(

Admitting a mistake and fixing the problems seems to take a back seat to pretending that everything is OK, and trying to close down legitimate criticism. I guess that at least part of this is because companies don't want to get sued by people. Since the Go Card is the same as the Oyster Card, which is widely used in London (for literally many million trips per day), you can imagine just how much money would be up for grabs if Transport for London sued them.

Brisbane Blog

Welcome to the Brisbane Blog. If you're on holiday in Brisbane, or if you live here and you've got some free time on your hands, you might be wondering about what things there are to do.

The Brisbane Blog lets you know about free, cheap, fun or exciting things going on in Brisbane: meetups, roller derby, burlesque, music, cult movies, local artists, anti-censorship protests, plays, and film festivals, just for a start. I especially like to promote Creative Commons in Brisbane.

My photos on Flickr

Photos from the Brisbanites group on Flickr

Creative Commons Licence

All material THAT I HAVE CREATED on this blog is available for re-use under a Creative Commons Attribution Licence, meaning that you can use it and/or alter it for any reason, including commercial purposes, as long as you attribute it by including a link to http://brisbaneposts.blogspot.com .

ALSO REMEMBER that just because I took a photo of a person and released it under Creative Commons, that doesn't mean you have their permission to use their image for commercial purposes. If I can put you in touch with that person to discuss your signing a model's release, then I will.

Please note that I do NOT own the copyright in most of the photos and videos on this site, so CHECK before you use them.